Allow TLS name mismatch as per RFC7671 Section 5.1

2025-10-30 06:16:06 +08:00 · 2025-03-21 20:05:02 +01:00 · 2025-03-21 20:05:02 +01:00 · a8bdf3949b
commit a8bdf3949b
parent c0eb3a5ae8
1 changed files with 4 additions and 1 deletions
--- a/crates/smtp/src/outbound/delivery.rs
+++ b/crates/smtp/src/outbound/delivery.rs
@ -967,7 +967,10 @@ impl QueuedMessage {
                        || (message.flags & MAIL_REQUIRETLS) != 0
                        || mta_sts_policy.is_some()
                        || dane_policy.is_some();
-                    let tls_connector = if allow_invalid_certs || remote_host.allow_invalid_certs()
+                    // As per RFC7671 Section 5.1, DANE-EE(3) allows name mismatch
+                    let tls_connector = if allow_invalid_certs
+                        || remote_host.allow_invalid_certs()
+                        || dane_policy.as_ref().is_some_and(|t| t.has_end_entities)
                    {
                        &server.inner.data.smtp_connectors.dummy_verify
                    } else {